Why Secure Email Is A Myth Worth Busting With A Sledgehammer

Email is the “killer app” that took over the world to become one of the most ubiquitous forms of digital communication, and after two decades it’s become abundantly clear that secure email is something of a myth.

Email is everywhere – in phones, tablets, every computer and gaming device, some fridges, cars, doorbells – you name it.

If you’re on the Internet, you have an email address (most likely several).

Private Email – Is There Such A Thing?

Most of us have set up one or two free email accounts with big US corporations, such as Outlook/Hotmail from Microsoft, Yahoo Mail, or Gmail from Google.

But if you ever thought your email was private, the joke’s on you. Seriously.

"Google’s policy is to get right up to the creepy line and not cross it." Eric Schmidt, Google

Consumer Watchdog’s privacy project director, John Simpson, said,

"People should take them at their word; if you care about your email correspondents’ privacy, don’t use Gmail."

But Google is not saying that its staff are free to read your emails. Rather, emails pass through its systems as part of the normal process of delivering them. Most email providers scan messages anyway as a way of identifying spam emails and putting them in a junk folder. Google just adds a few extra reasons, such as displaying targeted advertising.

Email was not designed with any privacy or security in mind from the start.

US government agencies have taken full advantage of email’s lax security through NSA programs, such as PRISM and XKeyscore.

Even self-described secure email services like Lavabit (reportedly used by NSA leaker Edward Snowden) and Silent Circle have shut down in the wake of the US government surveillance programs citing the now-known fact that they cannot promise secure email.

My Personal Domain’s Email Is Secure, Right?

Your webhost and your personal computer may very well be secure and free from spying. But the moment your email leaves your computer or your webhost’s servers, it will travel through parts of the Internet that are neither secure nor out of reach of NSA spying programs.

Additionally, just because your own email servers may be secure, that doesn’t mean the recipient’s servers are too. If you are sending an email to any US company or one that has servers in the US, your email would likely be scooped up.

From a technical point of view, it’s not just the servers themselves that can be compromised and spied on. The structure of networks means each direction of communication involves a series of routers and switches owned and operated by different companies. If one connection is secure, there’s no guaranteeing any other connection in the sequence is secure.

NSA’s PRISM surveillance program indicates that the spying takes place at these interim network points.

How To Secure Email

The first step the average Internet user should take to secure email is to use a strong password.

The next best method to secure communications is to encrypt them. This means scrambling the data with complex mathematical transformations.

Instead of sending plain text anyone can read, your encrypted message is scrambled. The intended recipient has a ‘key’ that is used to unlock the encryption and convert it back into readable text.

The question, then, is how do you get your key to the recipient securely? You can’t just email it in plain text, because then anyone (i.e. the NSA) can scoop up the key and decrypt all of your messages.

The only really safe way to exchange public keys is face-to-face, so you can see the conundrum. The reality is that, unless you are at a James Bond level of paranoia, email encryption is not a practical solution for secure email.

Even if you were to encrypt all your emails, it’s only the message contents and attachments that are scrambled. The header information is not, and it includes your address, the recipient’s address, the subject, the date, and other identifying information. This so-called metadata is also scooped up by NSA surveillance.
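To make the header point concrete, here is an added example (not from the original article) that parses an encrypted message and reports what anyone handling it can still read without the key. The article names no encryption scheme, so PGP/MIME (RFC 3156) is assumed; the sample message, its addresses and the function name `observer_view` are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a PGP/MIME (RFC 3156) message. Addresses, subject and
# the "ciphertext" are placeholders, not real data.
SAMPLE = """\
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: Q3 acquisition plan
Date: Mon, 01 Jan 2024 09:30:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

PLACEHOLDER-CIPHERTEXT
-----END PGP MESSAGE-----
--b1--
"""

METADATA = ("From", "To", "Cc", "Subject", "Date")

def observer_view(raw):
    """What a party without the private key can read from one message."""
    msg = message_from_string(raw)
    exposed = {h: msg[h] for h in METADATA if msg[h] is not None}
    readable = []  # content types of parts that are not ciphertext
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "application/pgp-encrypted":
            continue  # PGP/MIME control part, carries only "Version: 1"
        if "-----BEGIN PGP MESSAGE-----" not in part.get_payload():
            readable.append(ctype)
    sender = parseaddr(exposed.get("From", ""))[1]
    recipient = parseaddr(exposed.get("To", ""))[1]
    return {"exposed": exposed, "readable_parts": readable,
            "who_talks_to_whom": (sender, recipient)}

if __name__ == "__main__":
    for key, value in observer_view(SAMPLE).items():
        print(key, "->", value)
```

For the sample, no body part is readable, yet the sender, recipient, subject and date all come back in clear text.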

The best way to secure email is to use end-to-end SSL encryption, but even then, once the email reaches its destination, you don’t know the ‘true’ security of their servers.

To Worry Or Not To Worry

Secure email? Ha! No such thing, it seems. Email has never been secure, and it looks like we’re a long way off from getting there.

Those who argue “if you’ve done nothing wrong, you’ve got nothing to worry about” may not care about their own privacy or anyone else’s.

Should personal privacy be a fundamental human right? I certainly think so.